Posted to dev@tomcat.apache.org by bu...@apache.org on 2003/05/08 17:21:53 UTC

DO NOT REPLY [Bug 19767] New: - Digest authentication doesn't work with JDBCRealm

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=19767>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=19767

Digest authentication doesn't work with JDBCRealm

           Summary: Digest authentication doesn't work with JDBCRealm
           Product: Tomcat 4
           Version: 4.1.24
          Platform: PC
        OS/Version: Windows NT/2K
            Status: NEW
          Severity: Normal
          Priority: Other
         Component: Catalina
        AssignedTo: tomcat-dev@jakarta.apache.org
        ReportedBy: sradicchio@hotmail.com


PROBLEM

Configuring <auth-method>DIGEST</auth-method> for a web application using 
JDBCRealm doesn't work.
It is not possible to authenticate users.


ANALYSIS

Debugging source code of org.apache.catalina.realm.JDBCRealm class I noticed:

1) the method
authenticate(String username, String clientDigest,
             String nOnce, String nc, String cnonce,
             String qop, String realm,
             String md5a2)
of the class org.apache.catalina.realm.RealmBase
calculates the md5a1 value calling the method
getDigest(String username, String realmName)
of the same class

2) the method
getDigest(String username, String realmName)
calculates the md5a1 value getting the user password from the method
getPassword(String username)
of the org.apache.catalina.realm.JDBCRealm class

In this algorithm there are two problems:
- getPassword() must return the cleartext password, so you have to save it 
somewhere in clear
- at the moment getPassword() is not implemented and always returns null

3) if you implement getPassword(), the method authenticate() still returns null 
because it tries to get the Principal calling the method
getPrincipal(String username)
of the org.apache.catalina.realm.JDBCRealm class
but at the moment this method is not implemented and always returns null


SOLUTION

I think there are two main things to solve:
- implement getPassword() and getPrincipal() in the JDBCRealm class
- provide the possibility to save on the DB not the cleartext password but the 
md5a1 value
(the md5a1 value is the digest of the following string: username + realmname + 
password)


COMMENTS

At the end you should decide to use 4 different configurations:
1) <auth-method>BASIC and DB with cleartext pwd (working)
2) <auth-method>BASIC and DB with digest of pwd (working)
Main limits of this solution are:
. password sent in clear on the network
. on the DB : if pwdA = pwdB then digestA = digestB
3) <auth-method>DIGEST and DB with cleartext pwd (not working)
. you have only to implement getPassword() and getPrincipal() in class 
org.apache.catalina.realm.JDBCRealm
4) <auth-method>DIGEST and DB with md5a1 (not working)
. you have to modify the getDigest() method in class 
org.apache.catalina.realm.RealmBase providing the chance to get this value 
directly from the DB


Bye
  Giovanni
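The digest computation the report walks through (md5a1 from username, realm and password; md5a2 from method and URI; the client response from nonce, nc, cnonce and qop), as an added example that is not part of the bug report or of Tomcat's own code. It assumes the colon-separated form of RFC 2617 for all three strings, and the constructed USERS dict stands in for the JDBCRealm table storing md5a1 rather than the cleartext password, which is the report's configuration 4.

```python
import hashlib
import hmac


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def md5a1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password), the value the report proposes storing."""
    return md5_hex(f"{username}:{realm}:{password}")


def md5a2(method: str, uri: str) -> str:
    """HA2 = MD5(method:uri), the md5a2 argument of RealmBase.authenticate()."""
    return md5_hex(f"{method}:{uri}")


def digest_response(ha1: str, nonce: str, nc: str, cnonce: str, qop: str, ha2: str) -> str:
    """Client response per RFC 2617; without qop the older RFC 2069 form is used."""
    if qop:
        return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


# Constructed stand-in for the realm's user table: only md5a1 is stored, so a
# DB leak does not expose cleartext passwords (the report's configuration 4).
REALM = "testrealm@host.com"
USERS = {"Mufasa": md5a1("Mufasa", REALM, "Circle Of Life")}


def authenticate(username, client_digest, nonce, nc, cnonce, qop, realm, md5a2_value):
    """Server side, same parameter order as RealmBase.authenticate(): look up the
    stored md5a1 and recompute the response; no cleartext password is needed."""
    stored_ha1 = USERS.get(username)
    if stored_ha1 is None or realm != REALM:
        return False
    expected = digest_response(stored_ha1, nonce, nc, cnonce, qop, md5a2_value)
    return hmac.compare_digest(expected, client_digest)  # constant-time compare


def client_response(username, password, realm, method, uri, nonce, nc, cnonce, qop):
    """Client side: the browser still derives HA1 from the password it knows."""
    return digest_response(md5a1(username, realm, password), nonce, nc, cnonce, qop,
                           md5a2(method, uri))


# Worked values from the RFC 2617 section 3.5 example.
NONCE, NC, CNONCE, QOP = "dcd98b7102dd2f0e8b11d0f600bfb0c093", "00000001", "0a4f113b", "auth"


def rfc2617_example() -> str:
    return client_response("Mufasa", "Circle Of Life", REALM, "GET", "/dir/index.html",
                           NONCE, NC, CNONCE, QOP)
```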
